{{ ansible_managed | comment }}

[Unit]
Description=Prometheus Node Exporter
After=network-online.target

[Service]
Type=simple
User={{ node_exporter_system_user }}
Group={{ node_exporter_system_group }}
ExecStart={{ node_exporter_binary_install_dir }}/node_exporter \
{% for collector in node_exporter_enabled_collectors -%}
{%   if not collector is mapping %}
    --collector.{{ collector }} \
{%   else -%}
{%     set name, options = (collector.items()|list)[0] -%}
    --collector.{{ name }} \
{%     for k,v in options|dictsort %}
    --collector.{{ name }}.{{ k }}={{ v | quote }} \
{%     endfor -%}
{%   endif -%}
{% endfor -%}
{% for collector in node_exporter_disabled_collectors %}
    --no-collector.{{ collector }} \
{% endfor %}
{% if node_exporter_tls_server_config | length > 0 or node_exporter_http_server_config | length > 0 or node_exporter_basic_auth_users | length > 0 %}
    {% if node_exporter_version is version('1.5.0', '>=') %}
    --web.config.file=/etc/node_exporter/config.yaml \
    {% else %}
    --web.config=/etc/node_exporter/config.yaml \
    {% endif %}
{% endif %}
    --web.listen-address={{ node_exporter_web_listen_address }} \
    --web.telemetry-path={{ node_exporter_web_telemetry_path }}

SyslogIdentifier=node_exporter
Restart=always
RestartSec=1
StartLimitInterval=0

{% set protect_home = 'yes' %}
{% for m in ansible_mounts if m.mount.startswith('/home') %}
{%   set protect_home = 'read-only' %}
{% endfor %}
ProtectHome={{ protect_home }}
NoNewPrivileges=yes

{% if (ansible_facts.packages.systemd | first).version is version('232', '>=') %}
ProtectSystem=strict
ProtectControlGroups=true
ProtectKernelModules=true
ProtectKernelTunables=yes
{% else %}
ProtectSystem=full
{% endif %}

[Install]
WantedBy=multi-user.target